Forum Discussion
Best practice basics for Labels and DLPs to protect company data
I believe you are right about not using encryption for your default labels. DLP will be able to catch cases of items being shared externally in email or SharePoint.
In email, if you use a sensitivity label that applies encryption, the email sender and recipients will be able to decrypt. I believe this also explains why you can't use a label that has permissions already assigned.
- sumo83 | May 07, 2024 | Iron Contributor
thanks for the info .... Will have a look at Information Barriers...
About email, let me explain a bit more. When I create a new email, there is no label assigned. Now, I can assign Public (it just labels data, no encryption etc.) and Restricted (this one has access control that the user should specify) etc. However, when I want to assign "Confidential", which is configured with "assign permission now" and permission is granted to "all users in organization only", this Confidential label is not assigned to emails; it will not change from no label to Confidential (Outlook 365 app). So if I by mistake send an email that should be labelled Confidential to an external user, he will not be able to open it. Strange is that when I switch to New Outlook, I can assign the Confidential label to email with no issues.

- sumo83 | May 08, 2024 | Iron Contributor

So from what I can see, Information Barriers are quite restrictive: I can block access completely between departments (emails, Teams, etc.), which is not what I want to do. My scenario would be more like: I have a LEGAL and HR department that are exchanging data that only these two departments can have access to. However, both departments can share some data with other departments. This, as I understand, would not be possible with Information Barriers, as there is an Allow / Block option only.
I was thinking about the two approaches below
1 - creating labels/sublabels like: Internal\LEGAL&HR in “Access Control” → and add those groups to have access to data labelled with it
2 - Or create an “Internal\LEGAL&HR” label and then DLPs with conditions to check label and groups and allow only if its for LEGAL and HR
Not sure which would be more suitable or recommended to use in my scenario 😕 Or what issues will I face if I select either of those two?
Still can't find an answer to the question: can I remove encryption if I select "Control Access" for a label and want to specify groups? Some older info mentions it can be removed, and from some videos I saw there was an ENCRYPT option before. But now I just can't find how to use those access restrictions without automatically encrypting the data when I use "assign permission now".

- Terry Hugill | May 11, 2024 | Brass Contributor

Addressing your points in order.
1. You can use mail rules to block emails going out with certain labels on: https://office365itpros.com/2019/12/16/block-outbound-email-sensitivity-labels/. Also, as you mentioned, DLP rules can be used to remove external shares from labelled files.
2. You could have a label for that department. For example "Legal" and restrict access to only that department via a dynamic group. Be careful not to get too many labels using this approach. Try for 3-5 core labels as you mention then one or two at the most for each department (scoped only to that department). If you want to share them with others then have a "sharing" (sub) label that allows the users to define who gets the label. You could enforce any nuances with mail rules and DLP.
3. How soon after publishing these did you try in Outlook Online? They can take up to seven days to apply fully, some functionality may come before others.
4. Exactly that, the recipients get the required permissions (do not forward or encrypt only).
5. Ensuring labelling is appropriate for each partner should work. If the labels are encrypted for one partner and somebody accidentally emails them elsewhere, the recipient isn't going to be able to open them. Again, be careful of too many labels. There could be some mileage in configuring mail rules to say if this label (ABC company label) goes to "XYZ company" then block it.
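The mail-rule approach from points 1 and 5 above, written out as Exchange Online PowerShell. This is an added example, not from the thread or the linked article; it assumes an existing Connect-ExchangeOnline session, a placeholder label GUID, and placeholder partner domains.

```powershell
# Added example: mail flow rules that block outbound mail by sensitivity label.
# Outlook stamps a labelled message with the "msip_labels" header, whose value
# contains "MSIP_Label_<GUID>_Enabled=True" for the applied label, so a
# transport rule can match on that header without inspecting the body.

# Look up the label GUID first in Security & Compliance PowerShell:
#   Connect-IPPSSession ; Get-Label | Format-Table DisplayName, Guid
$ConfidentialGuid = '00000000-0000-0000-0000-000000000000'   # placeholder GUID
$PartnerAbcGuid   = '11111111-1111-1111-1111-111111111111'   # placeholder GUID

# Rule 1 (point 1): "Confidential" = all users in the organisation only, so it
# must never leave the tenant. Start in Audit mode, then switch to Enforce once
# the message trace shows only expected hits.
New-TransportRule -Name 'Block Confidential label leaving the organisation' `
    -HeaderContainsMessageHeader 'msip_labels' `
    -HeaderContainsWords "MSIP_Label_${ConfidentialGuid}_Enabled=True" `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText 'Messages labelled Confidential cannot be sent outside the organisation.' `
    -Mode Audit `
    -Comments 'Sensitivity label enforcement; SharePoint/OneDrive sharing is covered by DLP.'

# Rule 2 (point 5): the partner-specific "ABC company" label may go to ABC, but
# if it is addressed to XYZ company (placeholder domain) it is rejected.
New-TransportRule -Name 'Block ABC partner label sent to XYZ company' `
    -HeaderContainsMessageHeader 'msip_labels' `
    -HeaderContainsWords "MSIP_Label_${PartnerAbcGuid}_Enabled=True" `
    -RecipientDomainIs 'xyz-company.example' `
    -RejectMessageReasonText 'This content is labelled for ABC company only.' `
    -Mode Audit

# Verify both rules were created and are still in Audit mode before promoting.
Get-TransportRule -Identity 'Block*label*' | Format-Table Name, State, Mode, Priority
```

Promote a rule with `Set-TransportRule -Identity '<name>' -Mode Enforce` only after reviewing the audit hits, since a label published to Outlook can take time to propagate (point 3) and early false rejects would block legitimate mail.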